The high number of attendees and exhibitors at security confab are indication of troubled times

SAN FRANCISCO -- In the battle between enterprises and malicious hackers, the bad guys are clearly winning, judging by the sheer number of people and exhibitors at the RSA security conference going on here this week.

With an estimated 30,000 attendees and more than 400 exhibitors, RSA 2014 is the biggest event since its launch as a conference for cryptographers in 1991.

That's clearly a good thing for RSA, which by one analyst's estimates generates more than $100 million in revenues from the event. It's also a great thing for security vendors because it shows demand for their products is booming.

But the conference's growth is a also sobering reminder of the continuing challenges enterprises face in protecting their networks and data against malicious attackers. The RSA conference is not a Consumer Electronics Show or a Mobile World Congress. If demand for security products is increasing, it's because security tools are not doing the job well enough, enterprises are not implementing them properly or because hackers are finding new ways to breach networks.

Whatever the reasons, the security problems are continuing to grow for companies. It's one thing to have a home alarm system and another thing entirely when it takes guard dogs, perimeter fences, security grills, motion detectors and guns. Then it becomes an indictment of the entire neighborhood.

Year after year, vendors use RSA and similar venues to tout state-of-the-art security technology. Some of the products are enterprise tested and ready. Many are vaporware products fueled by hype from venture capital dollars.

This year is no exception. Two cavernous halls at San Francisco's Moscone Center are filled with vendors offering a dizzying array of products purportedly addressing every conceivable enterprise security need.

There are technologies for predicting, detecting, blocking, responding and mitigating attacks. There are tools that let enterprises measure risk, prioritize assets, control privileged users and monitor network behavior on a continuous basis.

Like every year, some products are touted as trend-setting, just like antivirus tools, firewall technologies, security incident management products, IPS products and data leak prevention tools were pitched a few years ago. This year, the buzz is about automated threat monitoring, network intelligence, data analytics and incident response.

Many vendors are using the breach at Target as a classic example of what could happen to enterprises that fail to implement their specific product or technology.

"If you have an intelligent opponent, it behooves us to make our systems better," says Sam Curry, chief strategy officer and chief technologist at RSA. The best way to do that, he said, is to combine traditional approaches with data analytics and selective automation of crucial processes.

Meanwhile, IT security practitioners have their own priorities. For them, the challenges are more about finding the budget and the resources needed to keep their networks and their data safe. For them, it's about secure design and development, reducing points of failure, and implementing role-based access control and principles of least privilege. It's about metrics and measuring security ROI.

It's also about people. A survey sponsored by Hewlett-Packard Co. and released at the conference shows that about 40% of available IT security jobs this year will go unfilled. About 56% of the 500 companies surveyed had no chief information security officer and only 32% offered a career path in the security field.

"What we see is a great increase in cyber offensive capabilities," on the part of hackers, said Jacob West, HP's chief technology officer. The lack of skilled professionals is creating a skills gap between adversaries and industry, he said. But that's not the only problem. The larger issue is the lack of security roles among application designers, developers, quality assurance teams and operations teams, West said.

For Greg Schaffer, CISO at technology investment firm the Circumference Group, information security is "ultimately about people, not about technology."

Enterprises can implement all the technology they want, but without the right people in place, the technology will do little to help, Schaffer said during a panel discussion.

In the information security space, "success is about incremental progress," he said. Like ants, cyber thieves will find a way to get inside even the best protected home. The key is in being able to detect and eliminate them, when they break in.

Some of the best minds in the industry are working on finding new, repeatable ways of detecting, blocking and responding to attacks in a more effective way. Some day soon they better start working more effectively.

As Gary Gagnon, CISO at MITRE, a technology research firm, said the increases in security budgets that enterprises have seen in recent years cannot be sustained. At some point, enterprises will need to find a way to bend the budget downward again.

Meanwhile, hackers keep breaking into systems, and no one can really say why that is happening, despite the billions of dollars spent on products like the ones showcased at RSA.